control/limit users to search or view the data stored in specific directories

Path Finder

control/limit users to search or view the data stored in specific directories

What I am trying to achieve is

limit "user 1" to search the data stored in "Directory 1" only and "user 2" to view/search "Directory 2" only

What I did is similar to

(1) create two new indexes, say I1 & I2 (2) splunk stop; splunk clean eventdata; splunk start; login as admin (3) create two new roles R1 & R2, assign I1 to R1 as the selected search index (the last configuration in the creating a role) and similarly assign I2 to R2. (4) create two new users U1 & U2, assign U1 (U2) as role R1 (U2) (5) manage data inputs --> file & directory --> add directory D1, and set the index I1. Similar handled D2 and I2.

If logged in as U1, index I2 did not show in the summary page. However, I can still put "index=I2" in the search bar to see the data indexed by I2 (essentially the data stored in directory D2). Anyone could help which is the problem?

Tags (1)
0 Karma

Path Finder

I did check authorize.conf which located in "\Splunk\etc\system\local", it reads ""


importRoles = user

rtSrchJobsQuota = 0

rtsearch = enabled

srchDiskQuota = 0

srchIndexesAllowed = c5only

srchIndexesDefault = c5only

srchJobsQuota = 0

If I logged as one user assigned role "c5viewer," I can only see data indexed by c5only in the search summary page. But I can still retrieve data indexed by r2only (a different index) if putting


in the search bar. The results come with all the data indexed by "r2only"

Any thoughts what can be the issue?

0 Karma

Splunk Employee
Splunk Employee

It sounds like it had you configure the Indexes Searched by Default. If you go into the role config, you should be able to specify Available Search Indexes. Do you see any indexes listed there? You can also look for srchIndexesAllowed in authorize.conf. You may also need to restart splunk (killing all user sessions and re-reading config files) to get it to take effect.